CISSP in 21 Days - Second Edition - M. L. Srinivasan - E-Book


M. L. Srinivasan

Description

Boost your confidence and get the competitive edge you need to crack the exam in just 21 days!

About This Book

  • Day-by-day plan to study and assimilate core concepts from CISSP CBK
  • Revise and take a mock test at the end of every four chapters
  • A systematic study and revision of myriad concepts to help you crack the CISSP examination

Who This Book Is For

If you are a networking professional aspiring to take the CISSP examination and obtain the coveted CISSP certification (considered the Gold Standard in information security personal certification), then this is the book you want.

This book assumes that you already have sufficient knowledge in all 10 domains of the CISSP CBK by way of work experience and knowledge gained from other study books.

What You Will Learn

  • Review Exam Cram and Practice review questions to reinforce the required concepts
  • Follow the day-by-day plan to revise important concepts a month before the CISSP® exam
  • Boost your time management for the exam by attempting the mock question paper
  • Develop a structured study plan for all 10 CISSP® domains
  • Build your understanding of myriad concepts in the Information Security domain
  • Practice the full-blown mock test to evaluate your knowledge and exam preparation

In Detail

Certified Information Systems Security Professional (CISSP) is an internationally recognized and coveted qualification. Success in this respected exam opens the door to your dream job as a security expert with an eye-catching salary. But passing the final exam is challenging. Every year a lot of candidates do not prepare sufficiently for the examination, and fail at the final stage. This happens when they cover everything but do not revise properly and hence lack confidence.

This simple yet informative book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will build your confidence and enable you to crack the Gold Standard exam, knowing that you have done all you can to prepare for the big day.

This book provides concise explanations of important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Starting with Confidentiality, Integrity, and Availability, you will focus on classifying information and supporting assets. You will understand data handling requirements for sensitive information before gradually moving on to using secure design principles while implementing and managing engineering processes. You will understand the application of cryptography in communication security and prevent or mitigate strategies for network attacks. You will also learn security control requirements and how to assess their effectiveness. Finally, you will explore advanced topics such as automated and manual test result analysis and reporting methods.

A complete mock test is included at the end to evaluate whether you're ready for the exam. This book is not a replacement for full study guides; instead, it builds on and reemphasizes concepts learned from them.

Style and approach

There are many overlapping concepts that apply to more than one security domain in the CISSP exam. Hence, the eight security domains are arranged in a logical order so that the concepts are covered in the most appropriate sequence in this guide. Each chapter opens with a flow diagram that supplies an overall view of the concepts covered in that chapter, giving a bird's-eye view of the chapter contents and the core security concepts. You can refer to this book throughout your preparation for the test or, most importantly, use it to systematically revise the eight domains on a day-by-day basis in the month before the exam. Hence the chapters are divided into 21 convenient days.


Page count: 431

Year of publication: 2016

Table of Contents

CISSP in 21 Days Second Edition
Credits
About the Author
About the Reviewer
www.PacktPub.com
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book 
Errata
Piracy
Questions
1. Day 1 – Security and Risk Management - Security, Compliance, and Policies
Overview of security, compliance, and policies
Asset
Asset protection
Confidentiality, Integrity, and Availability (CIA)
Confidentiality
Integrity
Availability
Security governance
Strategy, goals, mission, and objectives
Organizational processes
Security roles and responsibilities
Control frameworks
Management controls
Administrative controls
Technical controls
Due diligence and due care
Compliance
Legislative and regulatory compliance
Privacy requirements in compliance
Licensing and intellectual property
Legal and regulatory issues
Computer crimes
Fraud
Theft
Malware/malicious code
Cyber crime
Importing and exporting controls
Transborder data flow
Data breaches
Professional ethics
Codes of ethics
(ISC)2 code of professional ethics
Security policies, standards, procedures, and guidelines
Personnel security policies
Employment candidate screening
Employment agreement and policies
Employment termination processes
Vendor, consultant, and contractor controls
Compliance and privacy
Summary
Sample questions
2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education
Overview of risk management, business continuity, and security education
Risk management
Threats, vulnerabilities, and attacks
Threat risk modeling
Threat and vulnerability analysis
Attack analysis
Risk analysis
Quantitative risk analysis
Qualitative risk analysis
Risk treatment
Business continuity management
The Business Continuity Planning (BCP) process
BCP best practices
Security risk considerations in acquisitions, strategy, and practice
Information security education, training, and awareness
Summary
Sample questions
3. Day 3 – Asset Security - Information and Asset Classification
Overview of asset security - information and asset classification
Asset classification and control
Classification types in government
The United States information classification
Classification types in corporations
Data privacy
Data owners
Data processors
Data remanence
Data collection limitations
Data retention
Data in media
Data in hardware
Data with personnel
Summary
Sample questions
4. Day 4 – Asset Security - Data Security Controls and Handling
Overview of asset security - data security controls and handling
Data security controls
Data security requirements
Payment Card Industry Data Security Standard (PCI DSS)
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
EU Data Protection Act (DPA)
Data Loss Prevention (DLP)
Data in motion
Data at rest
Data in use
Data Loss Prevention strategies
DLP controls
Cryptographic methods to secure data
Encryption
Hashing
Digital signatures
Data handling requirements
Handling sensitive information
Summary
Sample questions
5. Day 5 – Exam Cram and Practice Questions
An overview of exam cram and practice questions
CISSP CBK domain #1 – security and risk management
CISSP CBK domain #2 – asset security
Sample questions
References and further reading
Summary
6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation
An overview of security design, practices, models, and vulnerability mitigation
Secure design principles
The computer architecture
Computer system
Trusted computing
Assurance
Common Criteria
Certification and accreditation
DITSCAP
NIACAP
DIACAP
Security engineering practices
Information security models
Take-grant model
Bell-LaPadula model
Biba model
Clark-Wilson model
Vulnerability assessment and mitigation
Vulnerability assessment
Penetration testing
Vulnerability assessment and the penetration testing process
CVE and CVSS
Summary
Sample questions
7. Day 7 – Security Engineering - Cryptography
An overview of cryptography
The fundamentals of cryptography
The methods of encryption
The cryptographic process
Cryptographic algorithms
The cryptographic method
Types of encryption
Symmetric key encryption
The operation modes of block ciphers
Asymmetric key encryption
Hashing
The key length and security
The summary of encryption types
Applications and the use of cryptography
Public Key Infrastructure (PKI)
Secure messaging
Message digest
Digital signature
The digital certificate
Key management techniques
Key management procedures
Type of keys
Key management best practices
Key states
Key management phases
Cryptanalytic attacks
The methods of cryptanalytic attacks
Cryptographic standards
Wireless cryptographic standards
The Federal Information Processing Standard
Summary
Sample questions
8. Day 8 – Communication and Network Security - Network Security
An overview of communication and network security
Network architecture, protocols, and technologies
Layered architecture
Open System Interconnect (OSI) model
Transmission Control Protocol / Internet Protocol (TCP/IP)
OSI layers and security
Application layer protocols and security
Domain Name System (DNS)
Threats, attacks, and countermeasures
Dynamic Host Configuration Protocol (DHCP)
Threats, vulnerabilities, attacks, and countermeasures
Hyper Text Transfer Protocol (HTTP)
Threats, vulnerabilities, attacks, and countermeasures
FTP and TELNET
Threats, vulnerabilities, attacks, and countermeasures
Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP)
Threats, vulnerabilities, attacks, and countermeasures
Simple Network Management Protocol (SNMP)
Threats, vulnerabilities, attacks, and countermeasures
Presentation layer protocols and security
Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
Threats, vulnerabilities, attacks, and countermeasures
Session layer protocols and security
Threats, vulnerabilities, attacks, and countermeasures
Summary
Sample questions
9. Day 9 – Communication and Network Security - Communication Security
An overview of communication security
Transport layer protocols and security
Transmission Control Protocol (TCP)
Threats, vulnerabilities, attacks, and countermeasures
User Datagram Protocol (UDP)
Threats, vulnerabilities, attacks, and countermeasures
Internet Control Message Protocol (ICMP)
Threats, vulnerabilities, attacks, and countermeasures
Other protocols in the transport layer
The network layer protocols and security
Internet Protocol (IP)
Threats, vulnerabilities, attacks, and countermeasures
IPsec protocols
Threats, vulnerabilities, attacks, and countermeasures
Data link layer protocols and security
Link layer protocols
Address Resolution Protocol (ARP)
Threats, vulnerabilities, attacks, and countermeasures
Border Gateway Protocol
Threats, vulnerabilities, attacks, and countermeasures
Ethernet
Threats, vulnerabilities, attacks, and countermeasures
The physical layer and security
Security in communication channels
Security requirements in voice, multimedia, remote access, data communications, and virtualized networks
Attacks on communication networks
Preventing or mitigating communication network attacks
Security controls in communication networks
Summary
Sample questions
10. Day 10 – Exam Cram and Practice Questions
An overview of exam cram and practice questions
The exam cram
CISSP CBK Domain #3 – security engineering
CISSP CBK Domain #4 – communication and network security
Sample questions
References and further reading
Summary
11. Day 11 – Identity and Access Management - Identity Management
An overview of identity and access management
Physical and logical access to assets
Identity management principles and implementation
Identity as a service
Security concerns
Third-party identity services
Summary
Sample questions
12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks
An overview of access management
Access management concepts, methodologies, and techniques
Basic concepts
Access control models
Discretionary access control
Non-discretionary access control
Authentication and authorization
Authorization
Identity and provisioning life cycle
Access control attacks and countermeasures
Port scanning and compromise
Hijacking
Malicious codes
Password attacks
Vulnerability compromises
Accountability
Summary
Sample questions
13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests
An overview of security assessment and testing
Security assessment and test strategies
Designing and validating assessment and testing strategies
Security controls
Conduct security control testing
Vulnerability assessments
Penetration testing
Black box testing
White box testing
Grey box testing
Log reviews
Synthetic transactions
Stress tests
Denial-of-Service tests
Load tests
Concurrency tests
Latency test
Code review and testing
Manual code review
Dynamic code review
Static code review
Fuzz code review
Misuse case testing
Test coverage analysis
Interface testing
The API
The UI
Physical
The effectiveness of controls
Summary
Sample questions
14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting
An overview of controlling, analyzing, auditing, and reporting security test data
A collection of security process data
The control of security process data
The protection and control of system test data
Audit logging
System logs
Administrator and operator logs
Fault logging
Key performance and risk indicators
Disaster recovery and business continuity
Analyzing security process data
False positives
False negatives
The effectiveness of a security control
Internal and third-party security audits
Internal audits
Third-party audits
Information system audit controls
Reporting test and audit outputs
Summary
Sample questions
15. Day 15 – Exam Cram and Practice Questions
An overview of exam cram and practice questions
Exam cram
CISSP CBK Domain #5 – identity and access management
CISSP CBK Domain #6 – security assessment and testing
Mock test
References and further reading
Summary
16. Day 16 – Security Operations - Foundational Concepts
An overview of operations security
The physical security design
Physical facility
Geographic operating location
Supporting facilities
Physical and operations security controls
Threats, vulnerabilities, and countermeasures for physical and operations security
Common threats
Common vulnerabilities
Designing physical and operations security controls
Perimeter security
Interior security
Unauthorized intrusions
Motion detectors
Fire
Fire classes
Fire detectors
Fire suppression mediums
Water sprinklers
Gas dischargers
Electrical power
Operations/facility security
Auditing
Audit trail
Emergency procedures
Startup and shutdown procedures
Evacuation procedures
Training and awareness
Protecting and securing equipment
Equipment security
Media security
Computer investigations
Summary
Sample questions
17. Day 17 – Security Operations - Incident Management and Disaster Recovery
Incident management and reporting
The examples of incidents
Incident management objective and goals
Incident management controls
Intrusion detection systems
Vulnerability assessment and penetration testing
Patch management
Configuration management
Business Continuity Planning (BCP)
BCP goals and objectives
BCP process
BCP best practices
Disaster Recovery Planning (DRP)
Goals and objectives
Components of disaster recovery planning
Recovery teams
Recovery sites
Business resumption from alternative sites
A reciprocal agreement
Subscription services
Backup terminologies
Testing procedures
Summary
Sample questions
18. Day 18 – Software Development Security - Security in Software Development Life Cycle
An overview of software development security
Systems engineering
Initiation phase
Development/acquisition phase
Implementation phase
Operation/maintenance phase
Disposal phase
Software development life cycle
Software development models
Simplistic model
Waterfall model
Complex models
Incremental model
Spiral model
Agile framework
Security in software development
Security controls in software development
Separation of development, test, and operational facilities
Change control processes and procedures
Vendor-supplied software packages
Avoiding covert channels
Summary
Sample questions
19. Day 19 – Software Development Security - Assessing effectiveness of Software Security
Overview
Security in information technology systems
Object-oriented systems
Object-oriented programming (OOP)
The security in object-oriented software
Artificial Intelligence (AI) systems
Database systems
Threats and vulnerabilities to application systems
Web application security
Common web application vulnerabilities
Security impact analysis
Monitoring and testing activities
Summary
Sample questions
20. Day 20 – Exam Cram and Practice Questions
Overview of exam cram and practice questions
Exam cram
CISSP CBK Domain #7 – security operations
CISSP CBK Domain #8 – software development security
References and further reading
Summary
Sample questions
21. Day 21 – Exam Cram and Mock Test
An overview of the exam cram and mock test
Exam cram
Summary
Mock test
References and further reading

CISSP in 21 Days Second Edition

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: December 2008

Second edition: June 2016

Production reference: 1240616

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham 

B3 2PB, UK.

ISBN 978-1-78588-449-8

www.packtpub.com

Credits

Author

M. L. Srinivasan 

Copy Editor

Yesha Gangani 

Reviewer

John T. Schreiner 

Project Coordinator

Ritika Manoj 

Commissioning Editor

Veena Pagare 

Proofreader

Safis Editing 

Acquisition Editor

Divya Poojari 

Indexer

Rekha Nair 

Content Development Editor

Arun Nadar 

Production Coordinator

Melwyn Dsa 

Technical Editor

Rupali R. Shrawane

About the Author

M. L. Srinivasan is the founder and CEO of ChennaiNet, an India-based technology company focused on information technology and information security-related product development, services, and training. He's a Certified Information System Security Professional (CISSP) and Certified Information Security Management System Lead Auditor.

Popularly known as MLS, the author is an information technology and information security professional and has about 25 years' experience in various IT domains, such as software programming, hardware troubleshooting, networking technologies, systems administration, security administration, information security-related consulting, auditing and training.

He has been an avid trainer throughout his career and has developed many short-term and long-term training programs. He has been invited to speak at many international conferences and seminars on information security. Currently he is associated with NIIT Technologies (USA), and CA Technologies (USA) as a senior instructor covering various product-based training on CA identity manager, CA SiteMinder (Single Sign-On), CA ControlMinder (AccessControl), CA Federation Manager, and CA DataMinder products.

He was a specialist IT and IS auditor with Det Norske Veritas (DNV), India region. He has performed many quality and information security audits for hundreds of medium and large organizations in the past.

About the Reviewer

John Schreiner is a Major in the United States Marine Corps and a networking and security instructor. He serves as a Company Commander, responsible for training Marines on the East Coast on the latest commercial technologies (Cisco, Microsoft, Riverbed, Harris, and so on). John brings experience teaching CISSP, Security+, and CCNA: Security.

John holds a CISSP, CCNA: Security, CCNP, CCDP, WCNA, and various other certifications. He also blogs at http://www.unadulteratednerdery.com/. In addition to this title, John was the technical reviewer for Cisco Unified Communications Manager 8: Expert Administration Cookbook, Tanner Ezell, Packt Publishing.

I'd like to thank my amazing wife, Jacki, whose steadfast support and embrace of my nerdy endeavors are a constant reminder that she’s the best thing that has ever happened to me.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print, and bookmark content
  • On demand and accessible via a web browser

Free access for Packt account holders

If you have an account with Packt at www.packtpub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.

To my Father who is the guiding force for everything I do

Preface

Certified Information System Security Professional (CISSP) is a coveted certification for an information security professional to achieve. Certified individuals are considered experienced and knowledgeable information security professionals. This is due to the fact that the certification's requirements are that the candidate not only has to pass the exam, but have 4 to 5 years of relevant practical experience in one or two domains of information security.

The exam is conducted by the International Information System Security Certification Consortium (ISC)²®, a nonprofit consortium that is the globally recognized Gold Standard for certifying information security professionals throughout their careers. (ISC)²® was founded in 1989 by industry leaders and has certified over 100,000 information security professionals across the globe.

While preparing for CISSP™, a candidate has to study many books and references. There are many books that cover the CISSP™ CBK™ domains in depth and provide a starting point for a thorough preparation for the exam. References to such books are given in the references chapter at the end of this book. However, since there are many concepts spread across the eight security domains, a concise guide is an important starting point both for exploring deeper concepts and for refreshing the many concepts that need to be revised before the exam. This book addresses the requirements of the initial preparation for the exam, as well as revisiting the key concepts in these eight domains. To serve that need, the core concepts of the eight CISSP information security domains are explained in a short, simple, and lucid form.

What this book covers

Chapter 1, Day 1 – Security and Risk Management - Security, Compliance, and Policies, covers the foundational concepts in information security, such as Confidentiality, Integrity, and Availability (CIA) from the first domain of CISSP Common Body of Knowledge (CBK)®.

Chapter 2, Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education, covers risk management practices that include the identification of risks through risk analysis and assessment, and mitigation techniques such as reduction, moving, transferring, and avoiding risks. An overview of business continuity requirements, developing and documenting project scopes and plans, and conducting business impact analyses is provided. Furthermore, policies and practices pertaining to personnel security are covered.

Chapter 3, Day 3 – Asset Security - Information and Asset Classification, covers the classification of information and supporting assets; the collection of information, its handling and protection throughout its lifecycle, and ownership of information and its privacy; and data retention requirements and methods.

Chapter 4, Day 4 – Asset Security - Data Security Controls and Handling, covers data security controls that include Data Loss Prevention strategies, such as data at rest, data in transit, data in use, and data handling requirements for sensitive information.

Chapter 5, Day 5 – Exam Cram and Practice Questions, covers important concepts and information from the first two domains of the CISSP CBK, namely Security and Risk Management and Asset Security. They are provided in an exam-cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.

Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation, covers concepts for using secure design principles while implementing and managing engineering processes. Information security models and system security evaluation models with controls and countermeasures, and security capabilities in information systems, are also covered. Also, vulnerability assessment and mitigation strategies in information systems, web-based systems, mobile systems, and embedded and cyber-physical systems are covered in detail.

Chapter 7, Day 7 – Security Engineering - Cryptography, covers the application of cryptography in information security requirements. Various concepts such as the cryptographic life cycle, types of cryptography, public key infrastructure, and so on are covered with illustrations. The methods of cryptanalytic attack are covered in detail with suitable examples.

Chapter 8, Day 8 – Communication and Network Security - Network Security, covers foundational concepts in network architecture and network security. IP and non-IP protocols, and their applications and vulnerabilities, are covered in detail, along with wireless networks and their security requirements. The application of cryptography in communication security is covered with illustrations, together with concepts related to securing network components.

Chapter 9, Day 9 – Communication and Network Security - Communication Security, covers communication channels such as voice, multimedia, remote access, data communications, virtualized networks, and so on, and their security requirements. Preventing or mitigating network attacks is also covered, with illustrations.

Chapter 10, Day 10 – Exam Cram and Practice Questions, covers important concepts and information from the third and fourth domains of the CISSP CBK, namely security engineering and communication and network security. They are provided in an exam cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.

Chapter 11, Day 11 – Identity and Access Management - Identity Management, covers provisioning and managing the identities and the access used in the interaction between humans and information systems. Core concepts of identification, authentication, authorization, and accountability, are covered in detail. Concepts related to identity as a service or cloud-based third-party identity services are covered, as well as security requirements in such services, with illustrations.

Chapter 12, Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks, focuses on access control concepts, methods, attacks, and countermeasures in detail.

Chapter 13, Day 13 – Security Assessment and Testing - Designing and Performing Security Assessment and Tests, covers tools, methods, and techniques for identifying and mitigating risks due to architectural issues using systematic security assessment and testing of information assets and associated infrastructure. Security control requirements and their effectiveness assessment are also covered.

Chapter 14, Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting, covers management and operational controls pertaining to security process data. Analyzing and reporting test outputs, either automated or through manual methods, and conducting or facilitating internal and third-party audits, are covered in detail.

Chapter 15, Day 15 – Exam Cram and Practice Questions, covers important concepts and information from the fifth and sixth domains of the CISSP CBK, namely Identity and Access Management and security assessment and testing. They are provided in an exam cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.

Chapter 16, Day 16 – Security Operations - Foundational Concepts, covers physical security strategies that include secure facility and website design, data center security, hazards, and media storage. Concepts on logging and monitoring activities, investigations, security in the provision of resources, operations security, and resource protection techniques are covered in detail.

Chapter 17, Day 17 – Security Operations - Incident Management and Disaster Recovery, covers incident management, disaster recovery, and business continuity-related concepts that pertain to security operations.

Chapter 18, Day 18 – Software Development Security - Security in Software Development Life Cycle, covers the application of security concepts and the best practices for the production and development of software environments. Security in the software development life cycle is also covered in detail.

Chapter 19, Day 19 – Software Development Security - Assessing Effectiveness of Software Security, covers assurance requirements in software and ways to assess the effectiveness of software security. It also covers the different methods and techniques to assess the security impact of acquired software.

Chapter 20, Day 20 – Exam Cram and Practice Questions, covers important concepts and information from the seventh and eighth domains of the CISSP CBK®, namely security operations and software development security. They are provided in an exam cram format for fast review and serve to reinforce the two domains covered in the previous four chapters.

Chapter 21, Day 21 – Exam Cram and Mock Test, consists of an exam cram from all the eight domains in CISSP CBK®.

What you need for this book

There are no software/hardware requirements for this quick reference and revision guide. You only need to build your confidence with the systematic study and revision of the concepts in the information security domain to crack the CISSP examination.

Who this book is for

This book is for all aspirants who are planning to take the CISSP examination and obtain the coveted CISSP certification that is considered the "Gold Standard" in Information Security personal certification.

It assumes that the candidate already has sufficient knowledge in all the eight domains of the CISSP CBK by way of work experience and knowledge gained from other study books. This book provides concise explanations of the core concepts that are covered in the exam.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "In a three-way handshake, first the client (workstation) sends a request to the server (for example, www.some_website.com)."

New terms and important words are shown in bold. 

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book 

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from http://www.packtpub.com/sites/default/files/downloads/CISSPin21DaysSecondEdition_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Chapter 1. Day 1 – Security and Risk Management - Security, Compliance, and Policies

Information security and risk management are analogous to each other. The security and risk management domain forms the baseline for all information security concepts and practices. This is the first domain in the CISSP CBK. The key areas explained in this domain are used across the next seven domains of the CISSP, and will serve as the conceptual foundation for more complicated topics. Hence, a strong foundational knowledge in this domain will help students understand the concepts in the rest of the domains.

A candidate appearing for the CISSP exam is expected to have foundational concepts and knowledge in the following key areas of the security and risk management domain:

- Asset protection
- Confidentiality, Integrity, and Availability (CIA)
- Security governance principles
- Compliance
- Legal and regulatory issues that pertain to information security in the global context
- Professional ethics
- Personnel security policies
- Risk management principles
- Threat modeling
- Business continuity planning
- Security risk considerations in acquisition strategy and practice
- Security education, training, and awareness

This chapter gives an overview of Security, Compliance, and Policies using a high-level illustration. This is followed with an overview of asset and asset protection. Furthermore, the concepts of Confidentiality, Integrity, and Availability (CIA) are explained with suitable examples. Security governance principles, compliance frameworks, and legal and regulatory issues that can impact on compliance are covered from a global perspective. Management practices that relate to security policies, standards, procedures and guidelines, as well as personnel security policies, are covered toward the end.

Overview of security, compliance, and policies

Asset protection forms the baseline for security. Unintended disclosure and unauthorized modification or destruction of an asset can affect security.

Observe the following illustration:

- Asset requires protection
- Protection is based on the requirements of Confidentiality, Integrity and Availability (CIA) for the
- Security is ensured through Security Governance that comprises management practices and management oversight
- Security is demonstrated through compliance that could be legal or regulatory
- Compliance consists of adherence to applicable legal and regulatory requirements; applicable policies, standards, procedures and guidelines; and personnel security policies
- Compliance can be affected by security issues

Asset

Assets can be tangible, that is, perceptible by touch. An example of a tangible asset could be a desktop computer or a laptop. Assets can also be intangible, that is, without a physical presence. An example of an intangible asset could be a corporate image or intellectual property, such as patents.

Assets are used by the organization for business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. The value can be monetary, or of importance, or both. For example, a simple firewall that costs less than $10000 may be protecting important business applications worth millions of dollars.

If an asset is compromised, for example, stolen or modified, and its data or secret information is disclosed, the impact could lead to monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.

An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.

To assess protection requirements, assets are grouped based on the type of assets, such as tangible or intangible, physical or virtual, and computing or noncomputing. For example, a computer can be a physical asset as well as a computing asset, such as hardware.

Note

Note that equipment, such as plumbing tools, can also be called hardware in some countries. However, in the information security domain, hardware generally implies computing and computer-related equipment.

Assets are generally grouped as follows:

- Physical assets: They are tangible in nature and examples include buildings, furniture, Heating, Ventilating and Air Conditioning (HVAC) equipment, and so on.
- Hardware assets: They are related to computer and network systems. Examples include servers, desktop computers, laptops, routers, network cables, and so on.
- Software assets: They are intangible assets that an organization owns a license to use. In general, organizations may not have Intellectual Property Rights (IPR) over such assets. Examples include Operating Systems (OS), Data Base Management Systems (DBMS), office applications, web server software, and so on.
- Information assets: They are intangible in nature. They are owned by the organization. Examples include business processes, policies and procedures, customer information, personnel information, agreements, and formulas developed in-house or purchased outright.
- Personnel assets: People associated with the organization, such as employees, contractors, and third-party consultants, are grouped under this type.

Note

Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). However, in the information security domain, software is classified as an intangible asset. Besides, software or information may be stored in hardware or physical assets, such as on hard disk or DVD.

Asset protection

In the information security domain, asset protection involves security management practices that are subject to business and compliance requirements. Such practices for asset protection are called security controls.

Types of security controls include:

- Physical entry controls to an office building that allow only authorized personnel
- Monitoring controls, such as CCTV, for surveillance of critical assets
- Controls, such as locks, for hardware assets for protection from theft
- Tamper-proofing controls, such as hashing and encryption, for software and data assets
- Copyrights or patents for information assets to protect legal rights
- Identity management systems to protect personnel assets from identity theft

This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not determined ad-hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment. Similarly, controls are identified through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.

Hence, asset protection requirements are based on risk. In order to understand risk, to perform risk assessment and select controls for asset protection, the concepts of CIA have to be understood first.

Confidentiality, Integrity, and Availability (CIA)

Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations.

Information and its associated infrastructure are accessed and used in business by employees, third-party users, or automated processes. For example, an HR manager accesses an employee profile database through a database application. Each component in this activity, that is, the HR manager, the employee profile database, and the database application, is called an entity. Another example would be a time-based job scheduler, such as cron in UNIX-like operating systems or the task scheduler in Windows operating systems, updating information in a database through a script. Here, the scheduler application, the script or application it runs, and the data being accessed are the entities.

Information assets and associated entities have certain levels of CIA requirements. A level could be a numeric value or representational value, such as high, low, or medium. The CIA triad is frequently referred to as tenets of information security. Tenet means something accepted as an important truth. The CIA values of an asset are established through risk analysis, which is a part of risk management. Concepts of risk management are covered in the next chapter.

Information security is characterized by preserving CIA values of an asset. Preserving is to ensure that the CIA values are maintained all the time and at all the locations. Hence, for an effective information security management, defining and maintaining CIA values is a primary requirement.

Confidentiality

Information needs to be disclosed to authorized entities for business processes, for example, an authorized employee accessing information about the prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities, for example, confidentiality is often achieved by encryption.

Integrity

Information has to be consistent and not altered or modified without established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update to the database record is made without approval.

Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update).

Availability

Availability is to ensure that information and associated services are available to authorized entities as and when required. An example of an availability breach is an attack on the network through Denial-of-Service (DoS). Sometimes, an authorized update to an application may stop certain essential services and constitute a breach of availability requirements; likewise, inadvertently tripping over a server power cable may constitute an availability breach.
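The integrity tenet described above, together with the tamper-proofing control (hashing) listed under asset protection earlier in this chapter, can be shown in working code. The following is an added example and not code from the book: it uses a keyed hash (HMAC-SHA256 from Python's standard library) to seal a constructed employee record, shows that an unauthorized modification of the stored data fails verification, and models the "established approval procedure" as the only path that re-seals a record after a change. The key value, record fields, and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Assumed placeholder key for the illustration only; a real deployment would
# fetch it from a key store that ordinary record writers cannot read.
INTEGRITY_KEY = b"placeholder-integrity-key-for-illustration"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal content always gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Compute the HMAC-SHA256 tag that the tamper-proofing control stores with the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record still matches its tag; compare_digest avoids timing leaks."""
    return hmac.compare_digest(seal(record, key), tag)


def approved_update(record: dict, tag: str, changes: dict, key: bytes = INTEGRITY_KEY):
    """Model the approval procedure: refuse to touch a record whose current state is not
    verified, apply the change, and re-seal so the new state carries a fresh tag."""
    if not verify(record, tag, key):
        raise ValueError("record failed integrity check; refusing to apply update")
    updated = {**record, **changes}
    return updated, seal(updated, key)


def demo() -> dict:
    """Constructed record: a direct write outside the approval path is detected on read."""
    record = {"employee_id": 1042, "name": "A. Example", "salary": 52000}
    tag = seal(record)
    tampered = {**record, "salary": 520000}  # unauthorized modification of stored data
    return {"original_ok": verify(record, tag), "tampered_ok": verify(tampered, tag)}


if __name__ == "__main__":
    print(demo())
```

A plain, unkeyed hash stored next to the data would not be a control on its own, because whoever alters the record can recompute it; the secret key, held by the approval process and not by ordinary writers, is what turns the tag into evidence of an approved state. Note also that the check detects modification when the record is read back; it does not prevent the write, which is why it sits beside access controls rather than replacing them.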

Security governance

For a long time, information security was considered a purely technical domain. Hence, in many organizations the focus was on defining and managing security predominantly through the Information Technology department. It was more like protecting only the information systems, such as computers and networks.

Information exists in many forms, and the levels of assurance required vary based on criticality, business requirements, and legal and regulatory compliance requirements. Hence, the focus has to be on protecting the information itself, which is essential and much broader in scope than focusing only on Information Technology.

Information is a business asset and valuable to organizations. Information has a lifecycle. It could be handled, processed, transported, stored, archived, or destroyed. At any stage during the lifecycle, the information can be compromised. A compromise can affect the CIA requirements of the information.

Information protection is a business responsibility. It involves governance challenges, such as risk management, reporting, and accountability. Hence, it requires the involvement of senior management and the board to provide a strategic oversight for implementing and ensuring continual effectiveness.

Strategy, goals, mission, and objectives

Aligning and integrating information security with enterprise governance and IT governance frameworks is the primary strategy for the senior management and the board. It includes the definition of the current state of security and establishing goals and objectives to align with the corporate mission.

For such a strategy, goals and objectives will include understanding protection requirements, which are based on the value of information, expected outcomes of the information security program, benefits that are quantifiable, and methods to integrate information security practices with organizational practices.

A corporate mission is based on the definition of the business, its core purpose, values and beliefs, standards, and behaviors. An information security mission defines security requirements, their purpose, focus on risk management, commitment to continual maintenance, and the improvement of the information security program. Hence, aligning information security mission with the corporate's mission is one of the primary strategies of security governance.

Organizational processes

To support the information security strategy and to meet the goals and objectives, organizational processes need to be aligned to the mission. Such processes include defining the roles and responsibilities of the personnel involved with effective implementation and day-to-day management; establishing monitoring mechanisms that include reporting, review and approval processes, and ensuring that management support is available to such organizational processes.

Security roles and responsibilities

Information security is everyone's responsibility in any organization. Specific security roles and responsibilities are to be considered from the security governance perspective. Hence, the information security responsibilities of the board of directors/trustees, executives, steering committee, and chief information security officer are important at management level.

Control frameworks

To support the information security strategy and the mission, control frameworks are established by the organization. Such frameworks contain controls under three broad categories, namely, management, administrative, and technical.

Management controls

Management controls are characterized by stating the views of the management and their position in particular topics, such as information security.

For example, the Information security policy is a management control, wherein the management states its intent, support, and direction for security.

Administrative controls

While a policy is a high-level document that provides the intent of the management, administrative controls are to implement such policies.

For example, procedures, guidelines, and standards are administrative controls that support the policies. These are covered later in this chapter.

Technical controls

Information is stored and processed predominantly in IT systems. Hence, technical controls are established to support management and administrative controls in the information systems.

Firewall, intrusion detection systems, antivirus, and so on, are some examples of technical controls.

Due diligence and due care

It is important that intent and management support to information security programs is visible across the organization to investors and customers. Hence, an organization should demonstrate due diligence and due care pertaining to information security processes and activities.

Understanding risk and estimating the same, in view of the organizations' mission, prevailing threats, vulnerabilities, and attacks, and legal, regulatory compliance, form a part of the due diligence process by the management.

Implementing security governance by way of organizational processes, defining roles and responsibilities, establishing risk management processes, and monitoring effectiveness of the information security controls are due care activities by the management.

Compliance

Information security breaches in the past two decades have necessitated new security-related legal and regulatory frameworks, or updates to existing ones, to include security-related compliance provisions across various countries. Requirements to comply with legal and legislative frameworks have increased exponentially due to the global nature of the Internet, cross-border information exchange, electronic commerce, and services. Compliance frameworks are full of terms and jargon that a security professional should be aware of. Following are some of the legal and regulatory frameworks, terms, and jargon that are relevant to the information security domain.

Legislative and regulatory compliance

Common law is a law that is developed based on the decisions of courts and tribunals rather than through statutory laws (legislative statutes). The legal system that uses common law is called common law legal systems. Countries, such as the United Kingdom, the United States of America (most of the states in the USA), Canada, Australia, South Africa, India, Malaysia, Singapore, and Hong Kong follow common law.

There are three categories under common law that are generally established:

- Regulatory law, also called Administrative law, primarily deals with the regulations of administrative agencies of the government.
- Criminal law deals with violations of government laws. Criminal cases are filed by government agencies against an individual or an organization. The punishment under criminal laws includes imprisonment as well as financial penalties.
- Civil law deals with lawsuits filed by private parties, such as corporations or individuals. Punishments under this law are financial or punitive damages or both.

Statutory law, legislative statute, or statute law is a legal system that is set down by the legislature or executive branch of the government. Statutory law is, in certain instances, also termed codified law.

Religious laws are legal systems based on religious principles. Examples include Hindu, Islamic, and Christian laws.

Civil Law is a legal system based on codes and legislative statutes as opposed to common law. France, Germany, and many other countries in the world follow civil law. Hence, there is a civil law category in the common law system and a civil law system itself.

Privacy requirements in compliance

Privacy is the protection of Personally Identifiable Information (PII) about individuals, or of Sensitive Personal Information (SPI) that can be used to identify a person in the context of a group. Protection under privacy is from disclosure, or selective disclosure, based on the individual's preferences.

The National Institute of Standards and Technology (NIST) has published a guide to protecting the confidentiality of personally identifiable information as NIST Special Publication 800-122. As per the guide, PII is defined as any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Privacy laws deal with protecting and preserving the rights of an individual's privacy.

A few examples of privacy laws in the United States include the following:

- Health Insurance Portability and Accountability Act (HIPAA)
- Financial Services Modernization Act (GLB), 15 U.S. Code: 6801-6810
- Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313

In the UK, they include the following:

- Data Protection Act 1998 (United Kingdom)
- Data Protection Directive (European Union)

Licensing and intellectual property

Intellectual Property (IP) refers to creations of the intellect, that is, of the mind: music, literary works, art, inventions, symbols, designs, and so on fall under intellectual property. The creator of such intellectual work has certain exclusive rights over the property. These exclusive rights are called Intellectual Property Rights (IPR).

Intellectual property law is a legal domain that deals with Intellectual Property Rights (IPR).

Following are some of the IPR-related terminologies:

- Copyright: This is an intellectual property right that grants exclusive rights to the creator of an original work, such as deriving financial benefits from the work, ownership credits, and so on. Others do not have the 'right to copy' such work. Copyright is country-specific.
- Patent: This is a set of exclusive rights granted to the inventor of new, useful, inventive, and industrially applicable inventions. This right excludes others from making, using, selling, or importing the invention. Patents are granted for a specific period of time. A patent is a public document.
- Trademark: This is a unique symbol or mark that is used by individuals or organizations to uniquely represent a product or a service. A trademark is also used to distinguish products and services from those of other entities.
- Trade secret: This is a formula, design, process, practice, or pattern that is not revealed to others. This protects the information from being copied and preserves a competitive advantage.

Legal and regulatory issues

Information compromise or security breach that could lead to civil or criminal liability on the part of an organization will be grouped under legal and regulatory issues. For example, if a hacker intrudes into a system, obtains Personally Identifiable Information (PII), and publishes the same in an Internet portal, then the liability for failure to protect such information falls on the organization.

The following list of issues may have legal or regulatory ramifications.

Computer crimes

A computer crime is a fraudulent activity that is perpetrated against computer or IT systems. The motivation could be for financial gain, competitive gain, popularity, fame, or adventure.

In computer crime, the term computer refers to the role it plays in different scenarios: the crime may be committed against a computer, committed using a computer, the computer may be incidental to the crime, or a combination of all three.

The following paragraphs provide some of the common computer crimes. Remember, CIA compromise or breach will be the end result of a crime.

Fraud

Manipulation of computer records, such as data diddling, salami slicing, or any other technique, or a deliberate circumvention of computer security systems, such as cracking or unethical hacking for monetary gain, is termed fraud.

Note

Data diddling is a malicious activity that changes data during the input or processing stage of a software program to obtain financial gain. Salami slicing, also known as penny shaving, is a fraudulent activity that regularly siphons off extremely small amounts of money so as to avoid being observed or caught.

Hacking refers to the discovery of vulnerabilities, holes, or weaknesses in computer software and associated IT systems, either to exploit them or to improve security and prevent intentional fraud. Hackers are persons who do hacking. However, hacking is classified under different names to distinguish the objective:

- Black-hat hackers are people with malicious intent, who compromise computer systems to commit crime. Such a hacker is called a cracker and the malicious hacking activity is termed cracking.
- White-hat hackers or ethical hackers are people who try to compromise computer systems to discover holes and improve security.
- Grey-hat hackers are ambiguous, in that their actual intention is not known.

Theft

Identity theft is to steal someone's identity. The intention is to pretend to be someone else to commit fraud. Stealing passwords, login credentials, and credit card information are examples of identity theft.

Intellectual property theft is stealing software code or designs for financial gain.

Malware/malicious code

Malware is malicious software that is designed to compromise, damage, or affect the general functioning of computers, gain unauthorized access, collect private and sensitive information, and/or corrupt data.

Writing or spreading malware is a computer crime. Viruses, worms, Trojan horses, spyware such as key loggers, and so on are examples of malware and are explained as follows:

- A computer virus is a malicious program or malicious code that attaches to files and can spread from one file to another or from one computer to another. Technically, a virus can spread or infect the computer only if the user opens the infected file.
- Worms are similar to viruses, but are self-replicating and self-propagating. Generally, worms do not require the human intervention of opening an infected file.
- A Trojan horse is malware that hides its identity within a legitimate program. Users are tricked into opening the file containing the malware by way of social engineering.

Note

Social engineering is a type of nonintrusive attack in which humans are tricked into circumventing security controls. Some of the attacks, such as phishing and Cross Site Request Forgery (CSRF), use social engineering techniques. More details about CSRF are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.

- Spyware is malicious code that tracks user actions. Examples of user actions include web browsing patterns, files opened, applications accessed, and so on. Spyware is best described as snooping software.
- Key loggers are a type of spyware that capture keystrokes and transmit them to an attacker's server. Sensitive information, such as usernames and passwords, is captured using key loggers. Key loggers can be hardware or software.

Cyber crime

Criminal activities that are perpetrated using communication networks, such as the Internet, telephone, wireless, satellite, and mobile networks, are called cyber crimes:

- Cyber terrorism is a type of cybercrime perpetrated against computers and computer networks, and such attacks are generally premeditated in nature. The objective of the attacks could be to cause harm based on social, ideological, religious, political, or similar motives.
- Cyber stalking is a type of cybercrime in which the offender harasses or intimidates the victim using the Internet and other electronic means. It is a criminal offence under various state anti-stalking and harassment laws.
- Information warfare is a type of cybercrime intended to destabilize an opponent, such as a corporation or institution, to gain a competitive advantage. Examples include false propaganda, web page defacement, and so on.
- Denial-of-Service (DoS) attacks or Distributed Denial-of-Service (DDoS) attacks are cybercrimes in which websites, corporate systems, or the computer systems of any user are made inaccessible by way of a flood of service requests that overloads the web and application servers. Eventually, the servers stop responding to genuine requests. (Ro)botnets are increasingly used for such crimes. A botnet is an army of computers listening to a control center system for orders to execute. Generally, the computers in a bot network are systems that have been compromised through the exploitation of security vulnerabilities.

Tip

More details about botnets are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.
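A flood-style DoS of the kind described above is usually first noticed in the request logs, where one source stands out by its request rate. The following is an added example, not code from the book: it builds a small constructed web-server log in which one source sends 200 requests within four seconds while another client browses normally, then applies a per-source sliding-window count to flag the flooding source. The IP addresses are from documentation ranges, the window and threshold values are assumptions, and the line layout mimics the Apache common log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common-log-format-style line: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines, window_seconds=10, threshold=50):
    """Flag sources exceeding `threshold` requests inside any `window_seconds` span.

    Lines are expected in chronological order. A per-source deque keeps the
    timestamps still inside the window; the result maps each flagged source to
    the peak number of requests seen within one window.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the detector
        ip, ts = parsed
        recent = windows[ip]
        recent.append(ts)
        # evict timestamps that have fallen out of the sliding window
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(recent))
    return peaks


def build_sample_log():
    """Constructed log (assumed values, not real traffic): one normal and one flooding client."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = []
    # normal client: one request every 2 seconds for a minute
    for i in range(30):
        events.append((base + timedelta(seconds=2 * i), "198.51.100.4", "/index.html"))
    # flooding client: 200 requests squeezed into 4 seconds (50 per second)
    for i in range(200):
        events.append((base + timedelta(seconds=i // 50), "203.0.113.7", "/"))
    events.sort(key=lambda e: e[0])
    lines = [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
        for ts, ip, path in events
    ]
    lines.insert(5, "this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(build_sample_log()).items():
        print(f"possible flood from {ip}: {peak} requests within 10 s")
```

A single-source count like this catches a DoS from one host; a distributed attack from a botnet spreads the load across many sources that may each stay under the per-source threshold, so in practice the same window logic is also applied to the aggregate request rate per target URL or server, and the threshold is tuned against a baseline of normal traffic.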

Making and digitally distributing child pornography is a cyber crime.

Digitally distributing and storing copyrighted materials of others without the copyright owner's explicit permission is a cyber crime.

Using e-mail communication to disrupt, to send unsolicited commercial e-mails, or to induce the user to perform certain actions in order to steal information or money falls under cyber crime.

Following are examples of such crimes:

- Sending Unsolicited Commercial Email (UCE) is called spamming. It is a cyber crime that clogs networks and intrudes into the privacy of the user.
- Phishing is a type of cyber crime wherein a user is lured to an attacker-constructed illegitimate website that looks similar to the actual website the user intended to visit, for example, online banking websites, e-mail login pages, and so on. A successful phishing attack results in the capture of user credentials by the attacker.
- Pharming is a type of cyber attack wherein a user is redirected to a malicious website constructed by the attacker. Generally, this type of redirection happens without the user's acceptance or knowledge.
- SMiShing is a type of cyber attack using mobile networks. In this attack, the Short Messaging Service (SMS) is used to lure the user to attacker-constructed malicious websites. This is similar to phishing.

Harassment